Compromised devices are used to act as proxies forwarding a malicious
base64-encoded PHP script to vulnerable web servers in a new spam
campaign active since May.

The compromised web servers in turn send an email, with link to the scam sites, to specific email addresses. Although currently used for directing the email recipients to scam news and cryptocurrency sites, by using a PHP shell the attackers could exploit the web server even after patching.